Configuring a Password Policy
You can configure a password policy for:
- Your own users: the users of your own account.
- Child account users: the users of your direct child reseller or customer accounts.
To configure a password policy, complete the following steps:
- In Operations PCP, go to Services > Identity Service > Password Policy.
- Specify the following password-related settings:
General Settings
- Minimum password length: the minimum number of characters a password must contain to be valid.
- Blacklist weak passwords: if selected, a password is rejected when it appears in the fixed, predefined blacklist of weak passwords.
- Prohibit username-based passwords: if selected, a user cannot use their own username as a password.
Required Character Types
- Digits: at least one digit is required for a password to be valid.
- Uppercase: at least one uppercase character is required for a password to be valid.
- Lowercase: at least one lowercase character is required for a password to be valid.
- Special symbols: at least one special symbol is required for a password to be valid. The recognized special symbols are ()[]#,.;@&*-_+! Important: a password must include at least one character from this group; symbols outside this list (for example, a space or $) do not satisfy the requirement.
Password Expiration
- Password expiration: if selected, passwords expire after the configured period and must be changed.
- Expiration period, days: the number of days after which a password is considered expired.
- Number of previous passwords to prohibit: the number of most recently used passwords that cannot be reused as a new password.
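The settings above describe a set of checks that any service accepting a new password has to apply in order. The following is an added example, not code from Operations PCP or Keycloak, that implements those checks as plain functions so you can see exactly what each setting accepts and rejects. The PasswordPolicy field names, the contents of WEAK_PASSWORDS and the sample passwords are constructed for illustration; the special-symbol set is the one listed on the page.

```python
"""Password-policy checks mirroring the General Settings, Required Character
Types and Password Expiration settings described above.

Added example, not code from Operations PCP or Keycloak. Field names, the
WEAK_PASSWORDS contents and the sample passwords are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import date

# Exactly the symbols the page lists; anything else (space, $, %, ...) does not count.
SPECIAL_SYMBOLS = "()[]#,.;@&*-_+!"

# Constructed stand-in for the product's fixed, predefined blacklist.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


@dataclass
class PasswordPolicy:
    min_length: int = 8
    blacklist_weak: bool = True
    prohibit_username: bool = True
    require_digits: bool = True
    require_upper: bool = True
    require_lower: bool = True
    require_special: bool = True
    expiration_enabled: bool = True
    expiration_days: int = 90
    history_size: int = 5          # number of previous passwords to prohibit


def hash_password(password, salt):
    """Password history must be stored as salted hashes, never as plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def check_password(policy, username, password, previous=()):
    """Return the list of violated rules; an empty list means the password is accepted.

    `previous` is the user's password history, oldest first, as (salt, digest)
    pairs produced by hash_password().
    """
    errors = []
    if len(password) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    if policy.blacklist_weak and password.lower() in WEAK_PASSWORDS:
        errors.append("found in the weak-password blacklist")
    if policy.prohibit_username and password.lower() == username.lower():
        errors.append("same as the username")
    if policy.require_digits and not any(c in "0123456789" for c in password):
        errors.append("no digit")
    if policy.require_upper and not any(c.isupper() for c in password):
        errors.append("no uppercase character")
    if policy.require_lower and not any(c.islower() for c in password):
        errors.append("no lowercase character")
    if policy.require_special and not any(c in SPECIAL_SYMBOLS for c in password):
        errors.append(f"no special symbol from {SPECIAL_SYMBOLS}")
    # Only the last `history_size` entries count; older passwords may be reused.
    recent = list(previous)[-policy.history_size:] if policy.history_size else []
    if any(hash_password(password, salt) == digest for salt, digest in recent):
        errors.append(f"matches one of the last {policy.history_size} passwords")
    return errors


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def password_expired(policy, last_changed, today=None):
    """True when the password is older than the expiration period (dates or ISO strings)."""
    if not policy.expiration_enabled:
        return False
    today = _as_date(today) if today else date.today()
    return (today - _as_date(last_changed)).days > policy.expiration_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    salt = b"constructed-salt"
    history = [(salt, hash_password("Correct.Horse7", salt))]
    for pw in ("Correct.Horse7", "Correct$Horse7", "Password", "alice"):
        print(pw, "->", check_password(policy, "alice", pw, history) or "OK")
```

Note the "Correct$Horse7" case: it is a strong password, but `$` is not in the page's symbol list, so the special-symbol rule rejects it. Tell users which symbols count, or they will assume the check is broken.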
Two-Factor Authentication
- Enable: if selected, two-factor authentication with a one-time password (OTP) is enabled. For more information, refer to the Keycloak documentation.
- One Time Password Type: select Time Based or Counter Based.
- Look-ahead Window:
  - For Time Based: specify how many time intervals ahead of the current one the server tries when matching the submitted code. This tolerates clock drift between the server and the user's device.
  - For Counter Based: specify how many counter values ahead of the stored one the server tries when matching the submitted code. This tolerates codes that were generated on the device but never submitted.
- Initial Counter (for Counter Based only): specify the value of the initial counter.
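To make the Look-ahead Window and Initial Counter settings concrete, here is an added example, not Keycloak's or Operations PCP's code, that generates and verifies both OTP types (RFC 4226 HOTP and RFC 6238 TOTP) and shows what widening the window actually accepts. SECRET is the RFC test key, constructed for the demo so the codes can be checked against the RFC tables; the symmetric ±window tolerance for time-based codes and the "advance the stored counter on match" rule for counter-based codes are this example's choices, since the page only says how many steps ahead the server tries.

```python
"""HOTP and TOTP verification with a look-ahead window (RFC 4226 / RFC 6238).

Added example, not Keycloak's or Operations PCP's code. SECRET is the RFC test
key (constructed); the +/-window tolerance for TOTP and the counter-advance
rule for HOTP are this example's choices.
"""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret, for the demo only


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, period=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second interval."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // period), digits)


def verify_totp(secret, token, window, at=None, period=30):
    """Accept a code from the current interval or up to `window` intervals on either side.

    The window absorbs clock drift between server and phone; every extra interval
    also enlarges the set of codes a guesser could hit, so keep it small.
    """
    at = time.time() if at is None else at
    current = int(at // period)
    return any(
        hmac.compare_digest(hotp(secret, current + i), token)
        for i in range(-window, window + 1)
    )


def verify_hotp(secret, token, stored_counter, window):
    """Return the counter to store next, or None if the code does not match.

    Only counters after the stored one are tried (stored_counter+1 .. +window): a
    code the phone generated but never submitted does not lock the user out, and a
    code that was already accepted can never be replayed.
    """
    for counter in range(stored_counter + 1, stored_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, counter), token):
            return counter
    return None


def provisioning_uri(secret, account, issuer, otp_type="totp", initial_counter=0):
    """otpauth:// URI of the kind authenticator apps scan as a QR code."""
    params = {"secret": base64.b32encode(secret).decode().rstrip("="),
              "issuer": issuer, "algorithm": "SHA1", "digits": 6}
    if otp_type == "hotp":
        params["counter"] = initial_counter   # the page's "Initial Counter" setting
    else:
        params["period"] = 30
    label = urllib.parse.quote(f"{issuer}:{account}")
    return f"otpauth://{otp_type}/{label}?{urllib.parse.urlencode(params)}"


if __name__ == "__main__":
    print("TOTP now:", totp(SECRET))
    print("HOTP counters 0..2:", [hotp(SECRET, c) for c in range(3)])
    print(provisioning_uri(SECRET, "jdoe@example.com", "ExampleBrand", "hotp"))
```

With the stored counter at 0 and a window of 3, the server accepts the codes for counters 1, 2 and 3 and then moves the stored counter to whichever matched; the code for counter 4 is rejected, and the code for counter 1 is rejected once counter 1 has been consumed. That is the behaviour the Look-ahead Window setting controls.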
Note:
For the time-based type, the following applications are supported:
- FreeOTP
- Google Authenticator
- Microsoft Authenticator
For the counter-based type, the following application is supported:
- FreeOTP
Resetting One-Time Password
If a user's smartphone is lost, or in other circumstances, you can reset the user's one-time password (OTP) credential. To do this, complete the following steps:
- Log in to the Keycloak administration panel.
- Open the security realm that corresponds to the brand in which the user logs in.
- Go to Users and click the user account.
- Go to Credentials. Under Manage Credentials, find the credential of the OTP type and delete it to reset the OTP for the user.
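When many users need resets, the same steps can be driven through the Keycloak Admin REST API instead of the console. The following is an added example, not Operations PCP's or Keycloak's own tooling: it finds the user in the brand's realm, lists the user's credentials and deletes only those of type "otp", leaving the password credential in place. The base URL, realm and user names are placeholders, and FakeKeycloak is a constructed in-memory stand-in for the three Admin API calls so the flow can be exercised without a server.

```python
"""Reset a user's OTP credential through the Keycloak Admin REST API.

Added example, not Operations PCP's or Keycloak's own tooling. Base URL, realm
and user names are placeholders; FakeKeycloak is a constructed stand-in.
"""
import json
import urllib.parse
import urllib.request


def urllib_http(method, url, token=None, form=None):
    """Minimal transport: form-encoded POST for the token request, JSON otherwise."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, method=method)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def admin_token(base, admin_user, admin_password, http=urllib_http):
    """Password grant against the master realm using the built-in admin-cli client."""
    url = f"{base}/realms/master/protocol/openid-connect/token"
    form = {"grant_type": "password", "client_id": "admin-cli",
            "username": admin_user, "password": admin_password}
    return http("POST", url, form=form)["access_token"]


def reset_otp(base, realm, username, token, http=urllib_http):
    """Delete every OTP credential of `username` in `realm`; return the deleted ids."""
    users_url = f"{base}/admin/realms/{realm}/users"
    users = http("GET", users_url + "?" + urllib.parse.urlencode({"username": username}), token)
    # The username filter is a substring search, so insist on exactly one exact match
    # before touching anything.
    matches = [u for u in users if u.get("username", "").lower() == username.lower()]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one user named {username!r}, found {len(matches)}")
    uid = matches[0]["id"]
    creds = http("GET", f"{users_url}/{uid}/credentials", token)
    deleted = []
    for cred in creds:
        if cred.get("type") == "otp":      # leave the password and other credentials alone
            http("DELETE", f"{users_url}/{uid}/credentials/{cred['id']}", token)
            deleted.append(cred["id"])
    return deleted


class FakeKeycloak:
    """Constructed in-memory stand-in for the Admin API calls reset_otp makes."""

    def __init__(self):
        self.users = [{"id": "u-1", "username": "jdoe"}, {"id": "u-2", "username": "jdoe2"}]
        self.creds = {"u-1": [{"id": "c-pw", "type": "password"}, {"id": "c-otp", "type": "otp"}],
                      "u-2": [{"id": "c-pw2", "type": "password"}]}
        self.calls = []

    def __call__(self, method, url, token=None, form=None):
        self.calls.append((method, url))
        parsed = urllib.parse.urlparse(url)
        parts = parsed.path.split("/")
        if method == "GET" and parts[-1] == "users":
            name = urllib.parse.parse_qs(parsed.query)["username"][0]
            return [u for u in self.users if name.lower() in u["username"].lower()]
        if method == "GET" and parts[-1] == "credentials":
            return list(self.creds[parts[-2]])
        if method == "DELETE" and parts[-2] == "credentials":
            uid, cid = parts[-3], parts[-1]
            self.creds[uid] = [c for c in self.creds[uid] if c["id"] != cid]
            return None
        raise AssertionError(f"unexpected call {method} {url}")


if __name__ == "__main__":
    fake = FakeKeycloak()
    base = "https://keycloak.example.com"
    print("deleted:", reset_otp(base, "brand-realm", "jdoe", "token", http=fake))
    print("remaining:", fake.creds["u-1"])
```

Against a real server, replace `http=fake` with the default transport and obtain the bearer token from `admin_token()`. The exact-match guard matters: searching for "jdoe" also returns "jdoe2", and deleting the wrong user's OTP credential silently weakens that account.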